feat: add application name as property and update purl with subpath t…

…o application (#71) * add application name as property and update purl with subpath to application Signed-off-by: nscuro <[email protected]> * update examples Signed-off-by: nscuro <[email protected]> Closes #67
CycloneDX · Sep 25, 2021 · 43e1e14 · 43e1e14
1 parent be6a7f6
commit 43e1e14
Show file tree

Hide file tree

Showing 10 changed files with 131 additions and 37 deletions.
diff --git a/e2e/testdata/snapshots/TestAppCmdSimple b/e2e/testdata/snapshots/TestAppCmdSimple
@@ -5,6 +5,9 @@
  <name>testmod-simple</name>
  <version>v0.0.0-20210716183230-c7ea7c975ab8</version>
  <purl>pkg:golang/[email protected]</purl>
+ <properties>
+ <property name="cdx:gomod:application:name">001</property>
+ </properties>
  </component>
  </metadata>
  <components>

diff --git a/e2e/testdata/snapshots/TestAppCmdSimpleMultiCommandPURL b/e2e/testdata/snapshots/TestAppCmdSimpleMultiCommandPURL
@@ -1,10 +1,13 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <bom xmlns="http://cyclonedx.org/schema/bom/1.3" serialNumber="urn:uuid:00000000-0000-0000-0000-000000000000" version="1">
  <metadata>
- <component bom-ref="pkg:golang/[email protected]" type="application">
+ <component bom-ref="pkg:golang/[email protected]#cmd/purl" type="application">
  <name>testmod-simple</name>
  <version>v0.0.0-20210901192510-dc2d14d2351d</version>
- <purl>pkg:golang/[email protected]</purl>
+ <purl>pkg:golang/[email protected]#cmd/purl</purl>
+ <properties>
+ <property name="cdx:gomod:application:name">purl</property>
+ </properties>
  </component>
  </metadata>
  <components>
@@ -24,7 +27,7 @@
  </component>
  </components>
  <dependencies>
- <dependency ref="pkg:golang/[email protected]">
+ <dependency ref="pkg:golang/[email protected]#cmd/purl">
  <dependency ref="pkg:golang/github.com/package-url/[email protected]"></dependency>
  </dependency>
  <dependency ref="pkg:golang/github.com/package-url/[email protected]"></dependency>

diff --git a/e2e/testdata/snapshots/TestAppCmdSimpleMultiCommandUUID b/e2e/testdata/snapshots/TestAppCmdSimpleMultiCommandUUID
@@ -1,10 +1,13 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <bom xmlns="http://cyclonedx.org/schema/bom/1.3" serialNumber="urn:uuid:00000000-0000-0000-0000-000000000000" version="1">
  <metadata>
- <component bom-ref="pkg:golang/[email protected]" type="application">
+ <component bom-ref="pkg:golang/[email protected]#cmd/uuid" type="application">
  <name>testmod-simple</name>
  <version>v0.0.0-20210901192510-dc2d14d2351d</version>
- <purl>pkg:golang/[email protected]</purl>
+ <purl>pkg:golang/[email protected]#cmd/uuid</purl>
+ <properties>
+ <property name="cdx:gomod:application:name">uuid</property>
+ </properties>
  </component>
  </metadata>
  <components>
@@ -31,7 +34,7 @@
  </component>
  </components>
  <dependencies>
- <dependency ref="pkg:golang/[email protected]">
+ <dependency ref="pkg:golang/[email protected]#cmd/uuid">
  <dependency ref="pkg:golang/github.com/google/[email protected]"></dependency>
  </dependency>
  <dependency ref="pkg:golang/github.com/google/[email protected]"></dependency>

diff --git a/e2e/testdata/snapshots/TestAppCmdSimpleWithFiles b/e2e/testdata/snapshots/TestAppCmdSimpleWithFiles
@@ -5,6 +5,9 @@
  <name>testmod-simple</name>
  <version>v0.0.0-20210716183230-c7ea7c975ab8</version>
  <purl>pkg:golang/[email protected]</purl>
+ <properties>
+ <property name="cdx:gomod:application:name">001</property>
+ </properties>
  <components>
  <component type="file">
  <name>main.go</name>

diff --git a/e2e/testdata/snapshots/TestAppCmdVendored b/e2e/testdata/snapshots/TestAppCmdVendored
@@ -5,6 +5,9 @@
  <name>testmod-vendored</name>
  <version>v0.0.0-20210716185931-5c9f3d791930</version>
  <purl>pkg:golang/[email protected]</purl>
+ <properties>
+ <property name="cdx:gomod:application:name">001</property>
+ </properties>
  </component>
  </metadata>
  <components>

diff --git a/e2e/testdata/snapshots/TestAppCmdVendoredWithFiles b/e2e/testdata/snapshots/TestAppCmdVendoredWithFiles
@@ -5,6 +5,9 @@
  <name>testmod-vendored</name>
  <version>v0.0.0-20210716185931-5c9f3d791930</version>
  <purl>pkg:golang/[email protected]</purl>
+ <properties>
+ <property name="cdx:gomod:application:name">001</property>
+ </properties>
  <components>
  <component type="file">
  <name>main.go</name>

diff --git a/examples/app_minikube-v1.23.1.bom.json b/examples/app_minikube-v1.23.1.bom.json
@@ -1,46 +1,50 @@
 {
  "bomFormat": "CycloneDX",
  "specVersion": "1.3",
- "serialNumber": "urn:uuid:26ccca90-9735-44e8-bad6-59967428dec0",
+ "serialNumber": "urn:uuid:2df66088-ff65-4895-b7ed-8b980e6c677f",
  "version": 1,
  "metadata": {
- "timestamp": "2021-09-19T16:20:21Z",
+ "timestamp": "2021-09-25T19:52:57Z",
  "tools": [
  {
  "vendor": "CycloneDX",
  "name": "cyclonedx-gomod",
- "version": "v0.0.0-20210919172430-96bd0c538cce",
+ "version": "v0.0.0-20210925214913-cdaccfe30cb0",
  "hashes": [
  {
  "alg": "MD5",
- "content": "f09d9d5ec8a3070ef06c8a716ef58206"
+ "content": "d6c2bf92f7d13841ed21d9c409cf7cf4"
  },
  {
  "alg": "SHA-1",
- "content": "6a76da80a00b8ce762019cb132c576e1dd485e6e"
+ "content": "cf9246e05f2416552edbf4b40ef8c3df259ed751"
  },
  {
  "alg": "SHA-256",
- "content": "b796ac65d8c21b987c2b4a88b329fa56a9b9e79859292701d1767f627c926724"
+ "content": "890a85574c7f68b950f5bc5c08e5a3c32c06e8103de168d5721ec2dcc49fd3b9"
  },
  {
  "alg": "SHA-384",
- "content": "6814ac9dace7d2aeec9a2d9fe11e0c877e71e2852d47a84560db16b5d1a351371773bfa09ba952a4a5b18f78c7d53cd9"
+ "content": "04d28e89523d14fc7dd32c54c4bdbbe99ac12fee427ff69d56ff3f9d98bde3880ab2b77520ff19fd620ab84d39920380"
  },
  {
  "alg": "SHA-512",
- "content": "e73d97ccaac30c039428e688a095efc1c525a8476e12ceb69b26a425defbc786ef09a80a241b7a6de52fb8c38bf9f06a23b971b2344b93e61f88597b4d34d743"
+ "content": "ddfce73b8949a2d7878f1e9154cfc1228cb16cf55c6a7e57583cdc9ac286e653e8e285a64fda677bd8bc5d83dc85e1c1c54b630f2ab31c69881b1c09bf68538b"
  }
  ]
  }
  ],
  "component": {
- "bom-ref": "pkg:golang/k8s.io/[email protected]",
+ "bom-ref": "pkg:golang/k8s.io/[email protected]#cmd/minikube",
  "type": "application",
  "name": "k8s.io/minikube",
  "version": "v1.23.1",
- "purl": "pkg:golang/k8s.io/[email protected]",
+ "purl": "pkg:golang/k8s.io/[email protected]#cmd/minikube",
  "properties": [
+ {
+ "name": "cdx:gomod:application:name",
+ "value": "minikube"
+ },
  {
  "name": "cdx:gomod:build:env:CGO_ENABLED",
  "value": "1"
@@ -3728,7 +3732,7 @@
  ],
  "dependencies": [
  {
- "ref": "pkg:golang/k8s.io/[email protected]",
+ "ref": "pkg:golang/k8s.io/[email protected]#cmd/minikube",
  "dependsOn": [
  "pkg:golang/cloud.google.com/[email protected]",
  "pkg:golang/cloud.google.com/go/[email protected]",

diff --git a/examples/bin_minikube-v1.23.1.bom.json b/examples/bin_minikube-v1.23.1.bom.json
@@ -1,35 +1,35 @@
 {
  "bomFormat": "CycloneDX",
  "specVersion": "1.3",
- "serialNumber": "urn:uuid:6cc44ff9-1816-4343-8ac9-5bcab5a8d691",
+ "serialNumber": "urn:uuid:5171defc-4ecb-4275-b1ef-bf5ff059ed56",
  "version": 1,
  "metadata": {
- "timestamp": "2021-09-19T16:20:48Z",
+ "timestamp": "2021-09-25T19:53:42Z",
  "tools": [
  {
  "vendor": "CycloneDX",
  "name": "cyclonedx-gomod",
- "version": "v0.0.0-20210919172430-96bd0c538cce",
+ "version": "v0.0.0-20210925214913-cdaccfe30cb0",
  "hashes": [
  {
  "alg": "MD5",
- "content": "f09d9d5ec8a3070ef06c8a716ef58206"
+ "content": "d6c2bf92f7d13841ed21d9c409cf7cf4"
  },
  {
  "alg": "SHA-1",
- "content": "6a76da80a00b8ce762019cb132c576e1dd485e6e"
+ "content": "cf9246e05f2416552edbf4b40ef8c3df259ed751"
  },
  {
  "alg": "SHA-256",
- "content": "b796ac65d8c21b987c2b4a88b329fa56a9b9e79859292701d1767f627c926724"
+ "content": "890a85574c7f68b950f5bc5c08e5a3c32c06e8103de168d5721ec2dcc49fd3b9"
  },
  {
  "alg": "SHA-384",
- "content": "6814ac9dace7d2aeec9a2d9fe11e0c877e71e2852d47a84560db16b5d1a351371773bfa09ba952a4a5b18f78c7d53cd9"
+ "content": "04d28e89523d14fc7dd32c54c4bdbbe99ac12fee427ff69d56ff3f9d98bde3880ab2b77520ff19fd620ab84d39920380"
  },
  {
  "alg": "SHA-512",
- "content": "e73d97ccaac30c039428e688a095efc1c525a8476e12ceb69b26a425defbc786ef09a80a241b7a6de52fb8c38bf9f06a23b971b2344b93e61f88597b4d34d743"
+ "content": "ddfce73b8949a2d7878f1e9154cfc1228cb16cf55c6a7e57583cdc9ac286e653e8e285a64fda677bd8bc5d83dc85e1c1c54b630f2ab31c69881b1c09bf68538b"
  }
  ]
  }

diff --git a/examples/mod_minikube-v1.23.1.bom.json b/examples/mod_minikube-v1.23.1.bom.json
@@ -1,35 +1,35 @@
 {
  "bomFormat": "CycloneDX",
  "specVersion": "1.3",
- "serialNumber": "urn:uuid:e1470263-f40c-4ce7-9beb-a3c02ffcc7d3",
+ "serialNumber": "urn:uuid:5edc5a19-e6c2-4d78-b023-2ee41a536e9c",
  "version": 1,
  "metadata": {
- "timestamp": "2021-09-19T16:20:37Z",
+ "timestamp": "2021-09-25T19:53:18Z",
  "tools": [
  {
  "vendor": "CycloneDX",
  "name": "cyclonedx-gomod",
- "version": "v0.0.0-20210919172430-96bd0c538cce",
+ "version": "v0.0.0-20210925214913-cdaccfe30cb0",
  "hashes": [
  {
  "alg": "MD5",
- "content": "f09d9d5ec8a3070ef06c8a716ef58206"
+ "content": "d6c2bf92f7d13841ed21d9c409cf7cf4"
  },
  {
  "alg": "SHA-1",
- "content": "6a76da80a00b8ce762019cb132c576e1dd485e6e"
+ "content": "cf9246e05f2416552edbf4b40ef8c3df259ed751"
  },
  {
  "alg": "SHA-256",
- "content": "b796ac65d8c21b987c2b4a88b329fa56a9b9e79859292701d1767f627c926724"
+ "content": "890a85574c7f68b950f5bc5c08e5a3c32c06e8103de168d5721ec2dcc49fd3b9"
  },
  {
  "alg": "SHA-384",
- "content": "6814ac9dace7d2aeec9a2d9fe11e0c877e71e2852d47a84560db16b5d1a351371773bfa09ba952a4a5b18f78c7d53cd9"
+ "content": "04d28e89523d14fc7dd32c54c4bdbbe99ac12fee427ff69d56ff3f9d98bde3880ab2b77520ff19fd620ab84d39920380"
  },
  {
  "alg": "SHA-512",
- "content": "e73d97ccaac30c039428e688a095efc1c525a8476e12ceb69b26a425defbc786ef09a80a241b7a6de52fb8c38bf9f06a23b971b2344b93e61f88597b4d34d743"
+ "content": "ddfce73b8949a2d7878f1e9154cfc1228cb16cf55c6a7e57583cdc9ac286e653e8e285a64fda677bd8bc5d83dc85e1c1c54b630f2ab31c69881b1c09bf68538b"
  }
  ]
  }

diff --git a/internal/cli/cmd/app/app.go b/internal/cli/cmd/app/app.go
@@ -20,6 +20,7 @@ package app
 import (
  "context"
  "flag"
+ "path/filepath"
  "strings"
 
  cdx "github.com/CycloneDX/cyclonedx-go"
@@ -161,6 +162,8 @@ func Exec(options Options) error {
  bom.Components = &components
  bom.Dependencies = &dependencies
 
+ enrichWithApplicationDetails(bom, options.ModuleDir, options.Main)
+
  if options.IncludeStd {
  err = cliutil.AddStdComponent(bom)
  if err != nil {
@@ -193,11 +196,9 @@ func createBuildProperties() (properties []cdx.Property, err error) {
  continue
  }
 
- if buildEnvVal == "" {
- continue
+ if buildEnvVal != "" {
+ properties = append(properties, sbom.NewProperty("build:env:"+buildEnvKey, buildEnvVal))
  }
-
- properties = append(properties, sbom.NewProperty("build:env:"+buildEnvKey, buildEnvVal))
  }
 
  goflags, ok := env["GOFLAGS"]
@@ -225,3 +226,74 @@ func parseTagsFromGoFlags(goflags string) (tags []string) {
 
  return
 }
+
+// enrichWithApplicationDetails determines the application name as well as
+// the path to the application (path to mainFile's parent dir) relative to moduleDir.
+// If the application path is not equal to moduleDir, it is added to the main component's
+// package URL as sub path. For example:
+//
+// + moduleDir <- application name
+// |-+ main.go
+//
+// + moduleDir
+// |-+ cmd
+// |-+ app <- application name
+// |-+ main.go
+//
+// The package URLs for the above examples would look like this:
+// 1. pkg:golang/../module@version (untouched)
+// 2. pkg:golang/../module@version#cmd/app (with sub path)
+//
+// If the package URL is updated, the BOM reference is as well.
+// All places within the BOM that reference the main component will be updated accordingly.
+func enrichWithApplicationDetails(bom *cdx.BOM, moduleDir, mainFile string) {
+ // Resolve absolute paths to moduleDir and mainFile.
+ // Both may contain traversals or similar elements we don't care about.
+ // This procedure is done during options validation already,
+ // which is why we don't check for errors here.
+ moduleDirAbs, _ := filepath.Abs(moduleDir)
+ mainFileAbs, _ := filepath.Abs(filepath.Join(moduleDirAbs, mainFile))
+
+ // Construct path to mainFile relative to moduleDir
+ mainFileRel := strings.TrimPrefix(mainFileAbs, moduleDirAbs)
+ mainFileRel = strings.TrimPrefix(mainFileRel, "/")
+
+ // The application name is the name of the directory that contains
+ // the main file. There may be cases where this is not true.
+ // We could add a -name flag to override this in the future.
+ var applicationName string
+
+ if mainDir, _ := filepath.Split(mainFileRel); mainDir != "" {
+ mainDir = strings.TrimSuffix(mainDir, "/")
+ applicationName = filepath.Base(mainDir)
+
+ oldPURL := bom.Metadata.Component.PackageURL
+ newPURL := oldPURL + "#" + mainDir
+
+ log.Debug().
+ Str("old", oldPURL).
+ Str("new", newPURL).
+ Msg("updating purl of main component")
+
+ // Update PURL of main component
+ bom.Metadata.Component.BOMRef = newPURL
+ bom.Metadata.Component.PackageURL = newPURL
+
+ // Update PURL in dependency graph
+ for i, dep := range *bom.Dependencies {
+ if dep.Ref == oldPURL {
+ (*bom.Dependencies)[i].Ref = newPURL
+ break
+ }
+ }
+ } else {
+ applicationName = filepath.Base(moduleDirAbs)
+ }
+
+ applicationNameProperty := sbom.NewProperty("application:name", applicationName)
+ if bom.Metadata.Component.Properties == nil {
+ bom.Metadata.Component.Properties = &[]cdx.Property{applicationNameProperty}
+ } else {
+ *bom.Metadata.Component.Properties = append([]cdx.Property{applicationNameProperty}, *bom.Metadata.Component.Properties...)
+ }
+}